Detecting domain‐flux botnet based on DNS traffic features in managed network

Truong, Dinh-Tu; Cheng, Guang

doi:10.1002/sec.1495

Cited by 38 publications

(41 citation statements)

References 25 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Based on those results, other previous studies have attempted to distinguish between benign and malicious domains using only their character strings in manners similar to our approach. Truong et al [27] proposed a technique that learns and predicts character patterns using bigram models with supervised learning algorithms, and Anderson et al [28] extended this technique using character-level models with long short-term memory (LSTM) networks. Qiao et al [29] combined LSTM networks with attention mechanisms to give proper weight values to the characters in domain names.…”

Section: B Related Workmentioning

confidence: 99%

“…Notably, the idea of using randomization to facilitate malware detection is not novel. Indeed, several studies based on this strategy have been reported [27], [28], [29], [30], [38], [39]. For example, Lin et al [38] proposed a method for decrypting malware communications for tracebacks to cybercriminals, while Wahab et al [39] proposed a method for detecting compromised virtual machines by monitoring behavior at the hypervisor level.…”

Section: Proposalmentioning

confidence: 99%

“…For example, Lin et al [38] proposed a method for decrypting malware communications for tracebacks to cybercriminals, while Wahab et al [39] proposed a method for detecting compromised virtual machines by monitoring behavior at the hypervisor level. Other studies [27], [ [29], [30] have attempted to apply ML or DL algorithms to distinguish between benign and malicious domains by noting the differences in character strings in the same manner as the approach proposed here. However, the cumbersome task of assigning labels to datasets and the discrepancies that arise between training and actual datasets have thus far prevented ML-and DL-based detection methods from exhibiting their full potential performance levels.…”

Section: Proposalmentioning

confidence: 99%

“…For comparison with the proposed approach, we implemented three techniques for identifying malicious domains from only the domain name string based on [27], [28], and [29]. The specifications of the machine used for implementation are given in Table III.…”

Section: A Experimental Setup For Labeled Datasetsmentioning

confidence: 99%

See 3 more Smart Citations

A Superficial Analysis Approach for Identifying Malicious Domain Names Generated by DGA Malware

Satoh

Fukuda

Hayashi

et al. 2020

IEEE Open J. Commun. Soc.

View full text Add to dashboard Cite

Some of the most serious security threats facing computer networks involve malware. To prevent malware-related damage, administrators must swiftly identify and remove the infected machines that may reside in their networks. However, many malware families have domain generation algorithms (DGAs) to avoid detection. A DGA is a technique in which the domain name is changed frequently to hide the callback communication from the infected machine to the command-and-control server. In this paper, we propose an approach for estimating the randomness of domain names by superficially analyzing their character strings. This approach is based on the following observations: human-generated benign domain names tend to reflect the intent of their domain registrants, such as an organization, product, or content. In contrast, dynamically generated malicious domain names consist of meaningless character strings because conflicts with already registered domain names must be avoided; hence, there are discernible differences in the strings of dynamically generated and human-generated domain names. Notably, our approach does not require any prior knowledge about DGAs. Our evaluation indicates that the proposed approach is capable of achieving recall and precision as high as 0.9960 and 0.9029, respectively, when used with labeled datasets. Additionally, this approach has proven to be highly effective for datasets collected via a campus network. Thus, these results suggest that malware-infected machines can be swiftly identified and removed from networks using DNS queries for detected malicious domains as triggers.

show abstract

Section: B Related Workmentioning

confidence: 99%

Section: Proposalmentioning

confidence: 99%

Section: Proposalmentioning

confidence: 99%

Section: A Experimental Setup For Labeled Datasetsmentioning

confidence: 99%

See 2 more Smart Citations

A Superficial Analysis Approach for Identifying Malicious Domain Names Generated by DGA Malware

Satoh

Fukuda

Hayashi

et al. 2020

IEEE Open J. Commun. Soc.

View full text Add to dashboard Cite

show abstract

“…The system is leveraging on the knowledge of the life cycle of malicious domains, as well as the observation of resource re-use across different attacks. Another similar work by Truong & Cheng, where they proposed a method to detect Zeus and Conficker that utilizes domain fluxing by analyzing the extracted the DNS traffic length and expected value that can distinguish between a domain name, by a human or botnets [5]. Nguyen & Tran on the other hand, modeled user behaviors and applying heuristic analysis approach to mobile logs generated during device operation process [7].…”

Section: Related Workmentioning

confidence: 99%

Recommender System based on Empirical Study of Geolocated Clustering and Prediction Services for Botnets Cyber-Intelligence in Malaysia

Zamani

Ariffin

Abdullah

2018

ijacsa

View full text Add to dashboard Cite

A recommender system is becoming a popular platform that predicts the ratings or preferences in studying human behaviors and habits. The predictive system is widely used especially in marketing, retailing and product development. The system responds to users preferences in goods and services and gives recommendations via Machine Learning algorithms deployed catered specifically for such services. The same recommender system can be built for predicting botnets attack. Via our Integrated Cyber-Evidence (ICE) Big Data system, we build a recommender system based on collected data on telemetric Botnets networks traffics. The recommender system is trained periodically on cyber-threats enriched data from Coordinated Malware Eradication & Remedial Platform system (CMERP), specifically the geolocations and the timestamp of the attacks. The machine learning is based on K-Means and DBSCAN clustering. The result is a recommendation of top potential attacks based on ranks from a given geolocations coordinates. The recommendation also includes alerts on locations with high density of certain botnets types.

show abstract

LagProber: Detecting DGA-Based Malware by Using Query Time Lag of Non-existent Domains

Luo

Wang

et al. 2018

Information and Communications Security

View full text Add to dashboard Cite

Detecting domain‐flux botnet based on DNS traffic features in managed network

Cited by 38 publications

References 25 publications

A Superficial Analysis Approach for Identifying Malicious Domain Names Generated by DGA Malware

A Superficial Analysis Approach for Identifying Malicious Domain Names Generated by DGA Malware

Recommender System based on Empirical Study of Geolocated Clustering and Prediction Services for Botnets Cyber-Intelligence in Malaysia

LagProber: Detecting DGA-Based Malware by Using Query Time Lag of Non-existent Domains

Contact Info

Product

Resources

About